Data Processing Agreement

Last updated: April 6, 2026

TL;DR: When you use WPPulse to monitor your WordPress sites, error reports may contain personal data from your site visitors. You are the data controller, and we are the data processor. This agreement defines how we handle that data on your behalf, in compliance with GDPR Article 28.

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

Data Processor

Fizteq Solutions SRL

Str. Cpt. Nicolae Licaret, nr. 6, bl. PM43, sc. A, et. 4, ap. 23, Sector 3, Bucharest, Romania

CUI: RO 37187316 · Reg. Com.: J2017003144400

Data Controller

You, the customer ("Controller"), who has created a WPPulse account and installed the WPPulse WordPress plugin on one or more WordPress sites.

This DPA supplements the Terms of Service and Privacy Policy, and forms part of the agreement between the parties. By using WPPulse, you accept this DPA.

2. Scope and Purpose of Processing

The Processor processes personal data on behalf of the Controller solely to provide the WPPulse monitoring service, including:

  • Receiving and storing error reports, plugin events, security events, and uptime data from the Controller's WordPress sites.
  • Grouping and deduplicating events for display in the dashboard.
  • Sending alert notifications to the Controller via configured channels.
  • Providing data export and deletion capabilities.

3. Types of Personal Data Processed

The following categories of personal data may be included in error reports sent by the WordPress plugin:

Category Examples
IP addresses Visitor IP addresses from the request context of an error event.
Request URLs The URL path that triggered the error (query strings are stripped).
User identifiers WordPress user IDs or usernames in the context of security events (hashed before transmission).
HTTP headers Sanitized request headers (authorization, cookie, and token headers are always filtered).
Error context Stack traces and error messages that may incidentally contain personal data.

Data subjects: Visitors and users of the Controller's WordPress sites whose requests trigger monitored events.

4. Duration of Processing

Processing begins when the Controller installs the WPPulse plugin and configures it with an API key, and continues for the duration of the Controller's WPPulse account. Upon account deletion, all processed data is permanently deleted as described in our Privacy Policy.

5. Processor Obligations

The Processor shall:

  1. Process personal data only on documented instructions from the Controller, as defined by the service configuration and this DPA.
  2. Ensure that persons authorised to process personal data have committed to confidentiality.
  3. Implement appropriate technical and organisational measures to ensure security of processing (see Section 7).
  4. Not engage another processor without prior written authorisation from the Controller. The current list of sub-processors is provided in Section 8.
  5. Assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) by providing data export and deletion capabilities.
  6. Assist the Controller in ensuring compliance with obligations regarding security, breach notification, impact assessments, and prior consultation (Articles 32–36 GDPR).
  7. At the Controller's choice, delete or return all personal data upon termination of the service, and delete existing copies unless EU or member state law requires storage.
  8. Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits and inspections.
  9. Immediately inform the Controller if, in the Processor's opinion, an instruction infringes GDPR or other EU/member state data protection provisions.

6. Controller Obligations

The Controller shall:

  1. Ensure that there is a lawful basis for the personal data transmitted to WPPulse (e.g., legitimate interest for error monitoring and security).
  2. Inform data subjects about the use of WPPulse as a data processor in the Controller's own privacy policy.
  3. Configure the WPPulse plugin's sensitive data filtering appropriately for the Controller's data protection requirements.
  4. Not intentionally transmit special categories of personal data (Article 9 GDPR) to WPPulse.

7. Technical and Organisational Measures

The Processor implements the following measures to protect personal data:

Encryption:

  • All API communication over HTTPS (TLS encryption in transit)
  • Notification channel credentials encrypted at rest (AES-256)
  • Session data encrypted at rest
  • API keys stored as irreversible SHA-256 hashes
  • User passwords hashed with Bcrypt

Access control:

  • Data isolation per customer account — users can only access their own sites and data
  • API key authentication with domain validation
  • Rate limiting on all API and authentication endpoints
  • Two-factor authentication available for user accounts

Data minimisation:

  • Defense-in-depth sensitive data filtering at plugin and server level
  • Automatic redaction of passwords, tokens, credit cards, and PII from error reports
  • Query strings stripped from URLs
  • Sensitive data redacted from application logs

Infrastructure:

  • Data hosted in Bucharest, Romania (EU)
  • Security headers on all responses (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)
  • Application logs rotated and deleted after 14 days

8. Sub-Processors

The Processor uses the following sub-processors. The Controller authorises the use of these sub-processors by accepting this DPA:

Sub-Processor Purpose Location
Hosting provider Server infrastructure, database hosting, compute Bucharest, Romania (EU)
Newsman (Dazoot Software SRL) Transactional email delivery (alerts, verification, account notifications) Romania (EU)
Lemon Squeezy (Lemon Squeezy, Inc.) Payment processing, billing, EU VAT compliance. Full card details handled by Lemon Squeezy; only card brand and last 4 digits stored locally. United States

User-activated services: When the Controller enables notification channels, event summary data is transmitted to the following services at the Controller's explicit instruction:

Service Purpose Location
Telegram Alert delivery via Telegram Bot API Various (non-EU possible)
Discord Alert delivery via Discord webhooks United States
Slack Alert delivery via Slack webhooks United States

The Processor will inform the Controller of any intended changes to the sub-processor list, giving the Controller the opportunity to object.

9. Data Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data. The notification shall include:

  • A description of the nature of the breach, including categories and approximate number of data subjects and records affected.
  • The name and contact details of the Processor's contact point for further information.
  • A description of the likely consequences of the breach.
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its adverse effects.

10. Data Return and Deletion

Upon termination of the service:

  • Data export: The Controller can export all data in JSON format from Account Settings before deleting their account.
  • Data deletion: Upon account deletion, all personal data is permanently deleted from our systems, including all sites, issues, occurrences, uptime data, notifications, and sessions.
  • Automatic retention: Event data is automatically deleted after the plan's retention period (7–180 days), even without account deletion.

11. Audits

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

Audit requests should be submitted to wppulse@fizteq.com with at least 30 days' notice.

12. International Data Transfers

The Processor transfers personal data outside the European Economic Area (EEA) in the following cases:

  • Payment processing: Subscription and billing data is processed by Lemon Squeezy, Inc. in the United States under their Data Processing Agreement. Only card brand and last 4 digits are stored locally; full card details are handled entirely by Lemon Squeezy.
  • Notification channels: When the Controller explicitly activates notification channels (Telegram, Discord, Slack), event summaries are transmitted to services outside the EEA. These transfers are made at the Controller's documented instruction and are limited to alert summary data (error type, message excerpt, site name, URL).

13. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. The Processor shall be liable for damage caused by processing only where it has not complied with obligations of GDPR specifically directed to processors, or where it has acted outside of or contrary to the Controller's lawful instructions.

14. Contact

For questions about this Data Processing Agreement, contact:

Fizteq Solutions SRL

Email: wppulse@fizteq.com